1. The Field of the Invention
The present invention relates to network taps for providing access to network data for analysis purposes. In particular, the invention relates to a network tap having integrated circuitry that permits device data from an attached device to be transmitted onto the network, and for obtaining statistics about the network data.
2. The Relevant Technology
In recent years, it has been desirable to be able to monitor and analyze the data flow in communication channels between and within networks. Some of these reasons include monitoring the communication channel for certain types of data, identifying and diagnosing network problems, detecting interruptions in the communication channel, detecting degradation in the communication channel, and the like. Thus, network taps, which are systems for tapping into communication lines, have been developed.
In general, a network tap is a device that is positioned in-line in a communication line and enables network analyzers or other devices to have access to a copy of the data transmitted over the communication line. A network tap is typically installed by physically cutting or breaking a network cable and positioning the tap between the two ends of the network cable. Once the tap is installed, network analyzers or other devices can access the network data without having to manipulate the network cable or altering the topology of the network. Moreover, conventional network taps enable access to the network data without disrupting or modifying the network data or the topology of the network.
Systems using conductors composed of metallic materials such as copper or other low resistance metals have generally been relatively easy to monitor and evaluate without great disruption or intrusion into the communication channel since current flows throughout the entire conductor and portions of the conductor can be externally tapped with another conductor attached to the test equipment that bleeds off a negligible amount of test current.
Additionally, optical fibers that transmit light have also been used as communication channel medium and have proven to be advantageous for the transmission of large amounts of information, both in digital and analog form. Optical fibers, unlike metallic conductors, propagate the information signal in a constrained directional path. Furthermore, the optical signal propagates down a very narrow internal portion of the conductor, making the non-intrusive external tapping of the fiber impractical. Therefore, in order to monitor data transmitted on an optical fiber, a splitter, also known as a coupler, must be placed in-line with the optical fiber to reflect a portion of the light from the main optical fiber to another optical fiber that can be coupled to a network analyzer or other test equipment.
In recent years, various types of attached devices have been developed for connecting to network taps. That is, network taps have been used for reasons other than simply monitoring a communication line. For example, the market for network security systems has also increased and is expected to continue to rise over the next few years. Indeed, security systems are almost a necessity in any enterprise local area network system to prevent unwanted intrusions by unauthorized people. Security systems typically comprise a firewall and/or an intrusion detection system. A firewall generally consists of one or more filters placed in the flow of communication to block the transmission of certain classes of traffic. Alternatively, a firewall may consist of one or more gateways that permit traffic flow into a network system. However, firewalls are sometimes defeated, which can result in unauthorized individuals gaining access to the network.
Intrusion detection systems are network security devices that identify suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise the network. For example, an intrusion detection system may be implemented to prevent against, among other things, access by hackers or deployment of viruses. In order to detect such intrusions, the intrusion detection system must have access to the data flow in a communication line that is in communication with the firewall. The intrusion detection system analyzes the data for indicia of intrusions.
Firewalls and intrusion detection/prevention systems are usually appliances or software applications implemented on servers or client computers in a network. When implemented as an appliance, a firewall and an intrusion detection system are usually separate devices connected to each other and to the network through multiple communication lines and/or switches.
An exemplary security system 10 of the prior art is shown in FIG. 1. System 10 includes a firewall 12 and tap 14 disposed in communication with a communication line 16. Communication line 16 comprises an incoming communication line 18 and an outgoing communication line 20, which are typically bundled in a single cable, such as an RJ-45 Ethernet cable. Firewall 12 and tap 14 are generally placed in a strategic location between the other infrastructure of local area network 11 and Internet 15. Communication line 16 is connected to an intrusion detection system 22 and a dedicated network analyzer or other testing equipment 24 through tap 14. That is, tap 14 includes couplers 26, 28 or other components that enable intrusion detection system 22 and testing equipment 24 to be placed in communication with the data flow in communication line 16.
Tap 14 may be configured to allow access to data transmitted over either a metallic conductive or an optical fiber communication line 16 as will be understood by those of skill in the art. In general, network taps, such as tap 14, transmit data obtained from communication line 16 in a uni-directional manner to connected devices which, in the example illustrated in FIG. 1, include the intrusion detection system 22 and the testing equipment 24. Conventional network tap 14 does not permit devices connected thereto to transmit data onto communication line 16. Network taps were originally developed to enable testing equipment to access network data and it has generally been understood that network taps should not modify the data on communication line 14 and/or 16 or add data thereto. Indeed, conventional network taps do not have a network presence, meaning that they are transparent to other devices on the network and the network operates as if the network tap did not exist. Thus, the flow of data over communication lines 19, 21, 23 and 25 to devices that access the network via tap 14 is uni-directional and the backflow of data to communication line 16 through tap 14 is prohibited.
With the advent of intrusion detection systems, network taps began to be used to provide such intrusion detection systems with access to network data. However, because conventional network taps permit only uni-directional data flow to connected devices, intrusion detection systems have been configured to communicate with the firewall through an additional external, or out-of-band, communication line 30. A switch 32 (e.g., an Ethernet switch) is positioned on communication line 30 to direct data packets to firewall 12. This architecture enables intrusion detection system 22 to identify indicia of unauthorized access and to issue TCP session reset commands or “kill” packets to firewall 12 to prevent additional unauthorized access. In fact, the intrusion detection system 22 can send any type of authorized packets through tap 14 to the firewall 12 and the LAN 11 as necessary. In the case of “kill” packets, kill packets are generated in pairs—one being destined for the firewall and the other for the server under attack. Each packet contains the source and destination addresses of the firewall and server so that each device responds to the kill packets as valid commands to terminate the session at the request of the opposite device.
It will be appreciated that the additional communication line 30 and switch 32 between intrusion detection system 30 and firewall 12 presents additional hardware that needs to be purchased and configured. Furthermore, switch 32 is often expensive. It would thus be an advantage to reduce the number of communication lines required to connect a communication line evaluation device, an intrusion detection system and/or firewall to a network. Furthermore, it would be an advantage to reduce the expense of having an extra switch to allow the intrusion detection system to communicate with the firewall.
The system 10 illustrates that it would be an advantage to allow any attached device (intrusion detection system 22 or testing equipment 24) to be enabled to send information back through the network tap.
System 10 also illustrates that network taps of the prior art have largely remained passive devices, simply as a means for allowing attached devices to view the network data. However, it would be an advantage to allow attached devices to be able to extract statistics of the network data and use these statistics as a basis for additional functions. It would also be an advantage to be able to upgrade or program a network tap after it has been connected to a network system without having to disconnect the network tap or replace the network tap in order to provide other functionalities.